DEFCON 22 Shines Light on More SOHO Security Woes

The SOHOpelessly competition marked the first of, hopefully, many consumer router hacking competitions that continue to apply pressure on vendors to get their security act together.

Throughout the competition, with only a handful of hours and a few available routers for reference, I was able to find zero-day vulnerabilities in the majority of the track 0 ‘up-to-date’ targets. Even more discouraging was the security posture and responsiveness from vendors, like NETGEAR, with the latest firmware containing vulnerabilities that have been repeatedly reported and even fixed for some models.

In addition, the latest firmware for targeted Belkin models also contained flaws reported in various models by nCircle back in 2012, as well as by ISE researchers in 2013. Although, to their credit, the Belkin and Linksys security teams are taking steps to improve their security posture.

D-Link, on the other hand, impressed me in their PSIRT response. Despite the model being ‘phased out,’ D-Link still put in the appropriate time to identify affected models and even sent me an updated firmware before the contest.

My colleague Ian Turner and I also dominated the track 1 competition as team VERT by accumulating 15,000 points (6 flags) in under 4 hours of banging on ISE’s collection of routers.

EFF, ISE and Itus deserve big props for helping push the envelope on home router security. Look out for more vulnerability information on The State of Security as we coordinate with vendors and determine how to best minimize consumer risk.

RELATED ARTICLES:

RESOURCES:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.